CVE-2018-1263 in Pivotal Software and VMware Products
Published on May 15, 2018
Addresses the partial fix in CVE-2018-1261. Pivotal spring-integration-zip, versions prior to 1.0.2, exposes an arbitrary file write vulnerability that can be triggered with a specially crafted zip archive holding path-traversal filenames (other archive formats are affected as well: bzip2, tar, xz, war, cpio, 7z). When such a filename is concatenated to the target extraction directory, the final path ends up outside the target folder.
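The following is an added illustration of the flaw described above and of the check that closes it. It is not code from spring-integration-zip or the Spring project, and it is written in Python rather than the library's Java: the archive is constructed inline with one entry named `../../evil.txt`, the function names (`extract_naive`, `extract_safe`, `is_safe_entry`, `demo`) are hypothetical, and the point is the concatenation-versus-resolved-path contrast, which applies equally to tar, cpio, 7z and the other formats the description lists.

```python
import io
import os
import shutil
import tempfile
import zipfile
from pathlib import Path


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign entry, one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        # zipfile does not normalise names on write, so '..' survives intact
        zf.writestr("../../evil.txt", "written outside the target dir\n")
    return buf.getvalue()


def extract_naive(archive: bytes, dest: Path) -> list[Path]:
    """Vulnerable pattern: target = dest + entry name, written without any check.
    (zf.extract() would sanitise the name; read()/write_bytes() reproduce the bug.)"""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(Path(target).resolve())
    return written


def is_safe_entry(dest: str, name: str) -> bool:
    """True only if dest/name, after full resolution of '..' and symlinks,
    is dest itself or lies strictly beneath it. Absolute names are rejected
    outright, since joining them would discard dest entirely."""
    base = Path(dest).resolve()
    if os.path.isabs(name):
        return False
    candidate = (base / name).resolve()
    return candidate == base or base in candidate.parents


def extract_safe(archive: bytes, dest: Path) -> list[Path]:
    """Hardened pattern: validate every entry name first, write nothing if any
    entry escapes, and write to the resolved path rather than the joined one."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        bad = [i.filename for i in zf.infolist() if not is_safe_entry(str(dest), i.filename)]
        if bad:
            raise ValueError(f"refusing archive: entries escape {dest}: {bad}")
        base = dest.resolve()
        written = []
        for info in zf.infolist():
            target = (base / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
        return written


def demo() -> dict:
    """Run both extractors against the constructed archive inside a throwaway
    tree deep enough that the '../../' escape stays within the temp dir."""
    root = Path(tempfile.mkdtemp()).resolve()
    try:
        archive = build_malicious_zip()
        naive_dest = root / "a" / "b" / "naive"
        naive_written = extract_naive(archive, naive_dest)
        naive_base = naive_dest.resolve()
        escaped = [p for p in naive_written if naive_base not in p.parents]

        safe_dest = root / "a" / "b" / "safe"
        try:
            extract_safe(archive, safe_dest)
            safe_error = None
        except ValueError as exc:
            safe_error = str(exc)

        return {
            "naive_escaped": [str(p.relative_to(root)) for p in escaped],
            "evil_exists": (root / "a" / "evil.txt").is_file(),
            "safe_error": safe_error,
            "safe_wrote_nothing": not safe_dest.exists(),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The check resolves the joined path and compares it against the resolved destination, which is what a string check on the entry name alone (for example rejecting names that begin with `../`) does not do: `a/../../x` passes a prefix test and still escapes. For tar-style formats the same comparison must also be applied to the link target of symlink and hardlink members, not just to their names.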
Products Associated with CVE-2018-1263
Affected Versions
Pivotal Spring Integration Zip versions prior to 1.0.2 are affected by CVE-2018-1263
Exploit Probability
EPSS
0.73%
Percentile
72.38%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.